AMENDMENTS TO THE CLAIMS

(Text deleted by amendment is shown in double brackets.)



1. (Currently amended) A method of registering a non-configured network device in a telecommunications network, the method comprising the computer-implemented steps of:
providing information identifying a trusted device registration service to a first non-configured network packet-routing device for use in obtaining a longer-lived symmetric key;
providing trusted information to the trusted device registration service that certifies that the first device is a known device within a security realm;
authenticating the first device to the trusted device registration service;
registering the first device in the network at the trusted device registration service, wherein the trusted device registration service provides the first device with a longer-lived symmetric key;
receiving a message from the first device that requests network services, wherein the message from the first device contains the longer-lived symmetric key;
authenticating the first device based on the longer-lived symmetric key [[received from the first device]];
generating and providing a shorter-lived symmetric key to the first device based on authenticating the longer-lived symmetric key;
receiving a request from a second network packet routing device to obtain a session key for secure communications between the second device and the first device, [[based on authenticating the shorter-lived symmetric key, wherein the request includes the shorter-lived symmetric key of the first device;]] wherein the second device sends the request in response to receiving a request from the first device to obtain a session key on behalf of both the first device and the second device;
authenticating the request from the second device based on authenticating the shorter-lived symmetric key of the first device, wherein the request from the second device includes the shorter-lived symmetric key of the first device; and
generating and providing a symmetric session key to the second device for use in subsequent secure peer-to-peer communications between the first device and the second device, wherein the first device obtains the symmetric session key from the second device without communication of [[either]] the first device or second device to a key management service or authoritative authentication service[[;]].
[[registering the first device in the network at a trusted device registration service;]]
[[authenticating the first device to the trusted device registration service; and]]
[[providing trusted information to the trusted device registration service that certifies that the first device as a known device within a security realm; and]]
[[providing information identifying the device registration service to the first device for use in obtaining the longer-lived symmetric key.]]

2. (Original) A method as recited in Claim 1, wherein the shorter-lived symmetric key is 
encapsulated in a ticket that includes data identifying a specified lifetime of the shorter- 
lived symmetric key. 

3. (Canceled). 

4. (Original) A method as recited in Claim 1, wherein the subsequent secure 
communications comprise successive symmetric encryption and decryption operations 
using the symmetric session key, and wherein the first device and second device carry out 
the subsequent secure communications without contact with a key management service or 
registration service. 

5. (Canceled). 

6. (Canceled). 

7. (Canceled). 

8. (Currently amended) A method of distributing cryptographic keys in a network, the method comprising the computer-implemented steps of:
providing a registration service identifier that identifies an administrative entity to a first non-configured network packet routing device; [[and providing a unique identifier of the first device to the administrative entity;]]
providing a unique identifier of the first device to the administrative entity;
associating [[a device private key]] a device public key with the first device in a secure data repository that is accessible by the administrative entity;
authenticating the first device to the administrative entity based on the device public key associated with the first device;
establishing a longer-lived symmetric key for the first device;
authenticating the first device based on receiving the longer-lived symmetric key from the first device;
generating and providing a short-term symmetric key to the first device based on authenticating the longer-lived symmetric key;
receiving a request from a second network packet routing device to obtain a session key for secure communications between the second device and the first device, [[based on authenticating the shorter-lived symmetric key, wherein the request includes the shorter-lived symmetric key of the first device;]] wherein the second device sends the request in response to receiving a request from the first device to obtain a session key on behalf of both the first device and the second device;
authenticating the request from the second device based on authenticating the shorter-lived symmetric key of the first device, wherein the request from the second device includes the shorter-lived symmetric key of the first device; and
generating and providing a symmetric session key to the second device for use in subsequent secure peer-to-peer communications between the first device and the second device, wherein the first device obtains the symmetric session key from the second device without communication of [[either]] the first device or second device to a key management service or authoritative authentication service[[;]].
[[registering the first device in the network at a trusted device registration service;]]
[[authenticating the first device to the trusted device registration service;]]
[[generating trusted information for the trusted device registration service that certifies that the first device as a known device within a security realm; and]]
[[generating information identifying the device registration service to the first device for use in obtaining the longer-lived symmetric key.]]

9. (Currently amended) A method as recited in Claim 8, wherein the step of associating a device [[private]] public key with the first device in [[a]] the secure data repository comprises the steps of generating a public key pair comprising a device public key and a device private key and storing the device [[private]] public key in a database or directory that is accessible to the administrative entity.

10. (Currently amended) A method as recited in Claim 8, wherein the step of associating a device [[private]] public key with the first device in [[a]] the secure data repository comprises the steps of generating a public key pair comprising a device public key and a device private key and registering the device [[private]] public key with a certification authority that is accessible to the administrative entity.

11. (Canceled). 

12. (Canceled). 

13. (Currently amended) A method as recited in Claim 8, wherein [[generating trusted information for the trusted registration service]] providing a unique identifier of the first device to the administrative entity comprises the steps of creating and storing an association of a unique identifier of the first device and the device public key in a secure database that is accessible to the [[registration service]] administrative entity.[[, and providing the unique identifier from the first device to the registration service.]]

14. (Original) A method as recited in Claim 9, wherein establishing a longer-lived symmetric key comprises the steps of:
generating the longer-lived symmetric key;
encrypting the longer-lived symmetric key using the device public key;
encapsulating the encrypted longer-lived symmetric key in a device registration ticket; and
sending the device registration ticket to the device.

15. (Original) A method as recited in Claim 14, wherein encapsulating the encrypted key comprises encapsulating the encrypted longer-lived symmetric key with policy information in the device registration ticket, wherein the policy information defines a validity interval of the encrypted longer-lived symmetric key.

16. (Original) A method as recited in Claim 8, wherein generating and providing a short-term symmetric key to the first device includes the steps of encapsulating the short-term symmetric key in a short-term ticket granting ticket with associated policy information.

17. (Currently amended) A method as recited in Claim 8, wherein the step of receiving a request from a second device to obtain a session key for secure communications among the second device and the first device comprises the steps of:
receiving a first short-term ticket granting ticket that includes the short-term symmetric key of the first device;
receiving a second short-term ticket granting ticket that includes the short-term symmetric key of the second device;
decrypting the first and second short-term ticket granting tickets based on respective first and second shared secret keys;
authenticating the short-term symmetric keys of the first device and second device based on the respective first and second shared secret keys; and
generating and providing a symmetric session key to the second device for use in subsequent secure peer-to-peer communications between the first device and the second device without communication of either the first device or second device to a key management service or authoritative authentication service.

18. (Currently amended) A method of establishing secure cryptographic peer-to-peer communication between a first network packet routing device and a second network packet routing device in a network, the method comprising the computer-implemented steps of:
providing a unique identifier of the first device to an administrative entity and receiving, in response, [[providing]] a registration service identifier that identifies an administrative entity to the first device;
creating and storing a device [[private]] public key associated with the first device in a secure data repository that is accessible by the administrative entity;
authenticating the first device to the administrative entity by sending a message from the first device to the administrative entity that is encrypted using the device public key;
receiving a longer-lived symmetric key for the first device;
authenticating the first device to a key management server using the longer-lived symmetric key of the first device;
receiving a short-term symmetric key from the key management server, based on authenticating the longer-lived symmetric key;
generating a request to a second device to obtain a session key for secure communications among the second device and the first device, based on authenticating the short-term symmetric key, wherein the request includes the short-term symmetric key of the first device; and
receiving a symmetric session key from the second device for use in subsequent secure peer-to-peer communications between the first device and the second device without communication of [[either]] the first device or second device to a key management service or authoritative authentication service;
[[providing information to a registration service that provides assurance that the first device is a certified device;]]
[[authenticating the first device to the registration service;]]
[[generating information that provides assurance to a registration service that the first device is a certified device; and]]
[[authenticating the first device to the registration service by sending a first message from the first device to the registration service that is encrypted using the device public key.]]
19. (Currently amended) A method as recited in Claim 18, wherein the steps of creating and storing a device [[private]] public key [[with a]] associated with the first device in a secure data repository comprises the steps of generating a public key pair comprising a device public key and a device private key and storing the device [[private]] public key in a database or directory that is accessible to the administrative entity.

20. (Currently amended) A method as recited in Claim 18, wherein the steps of creating and storing a device [[private]] public key [[with a]] associated with the first device in a secure data repository comprises the steps of generating a public key pair comprising a device public key and a device private key and registering the device [[private]] public key with a certification authority that is accessible to the administrative entity.

21. (Canceled.) 

22. (Canceled.) 

23. (Previously Presented) A method as recited in Claim 18, wherein providing information to a registration service that the first device is a certified device comprises the steps of creating and storing an association of a unique identifier of the first device and the device public key in a secure database that is accessible to the registration service, and providing the unique identifier from the first device to the registration service.

24. (Original) A method as recited in Claim 19, wherein receiving a longer-lived symmetric key comprises the steps of receiving a device registration ticket that comprises the longer-lived symmetric key encrypted using the device public key.

25. (Original) A method as recited in Claim 24, wherein the encrypted longer-lived symmetric key is encapsulated in the device registration ticket with policy information that defines a validity interval of the encrypted longer-lived symmetric key.
26. (Original) A method as recited in Claim 18, wherein receiving the short-term symmetric key comprises the steps of receiving the short-term symmetric key in a short-term ticket granting ticket with associated policy information.

27. (Original) A method as recited in Claim 18, wherein the step of generating a request from a second device to obtain a session key for secure communications among the second device and the first device comprises the steps of generating a first short-term ticket granting ticket that includes the short-term symmetric key of the first device.

28. (Original) A method as recited in Claim 18, wherein the step of receiving a symmetric session key from the second device for use in subsequent secure peer-to-peer communications between the first device and the second device comprises receiving a shared service ticket that contains the symmetric session key.

29. (Original) A method as recited in Claim 28, further comprising the steps of:
generating an initial request for peer-to-peer secure communication, wherein the initial request is directed to the second device and includes the shared service ticket;
authenticating the second device based on the symmetric session key in the shared service ticket;
communicating one or more messages to the second device using the symmetric session key to encrypt or decrypt the messages.
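As an added illustration (not the applicant's implementation and not code from this document), the key hierarchy recited in claims 1, 17 and 29 simulated end to end: registration hands out a longer-lived key, the ticket granting ticket carries a short-term key with a validity interval, the second device presents both tickets to the key management service, and the session key reaches the first device through the second device so that neither peer contacts the service again. It assumes the registration service and key management server are a single object, that tickets are JSON sealed with an HMAC-SHA256 keystream plus tag (a stand-in for a real AEAD), and that the device names are constructed.

```python
import hashlib, hmac, json, os, time

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # PRF stream: HMAC-SHA256(key, nonce || counter) blocks, truncated to n bytes
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, obj: dict) -> bytes:
    # Encrypt-then-MAC a JSON payload under a symmetric key: nonce || ciphertext || tag
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    # Verify the tag before decrypting; tampering or a wrong key is rejected here
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ticket rejected: integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KeyManagementService:
    """Registration service and key management server rolled into one (assumption)."""
    def __init__(self):
        self.longer_lived = {}          # device id -> longer-lived symmetric key

    def register(self, dev_id: str) -> bytes:
        # Registration step: the known device is handed its longer-lived symmetric key
        self.longer_lived[dev_id] = os.urandom(32)
        return self.longer_lived[dev_id]

    def issue_tgt(self, dev_id: str, presented: bytes, ttl: float, now: float):
        # Authenticate the longer-lived key, then return a short-term key inside a ticket
        # granting ticket sealed under the device's shared secret with an expiry policy
        if not hmac.compare_digest(self.longer_lived.get(dev_id, b""), presented):
            raise PermissionError("unknown device or wrong longer-lived key")
        short_key = os.urandom(32)
        body = seal(presented, {"key": short_key.hex(), "exp": now + ttl})
        return short_key, {"dev": dev_id, "blob": body.hex()}

    def issue_session(self, tgt_first: dict, tgt_second: dict, ttl: float, now: float):
        # The second device forwards both TGTs; each is opened with the respective shared
        # secret and checked against its validity interval before a session key is issued
        short_keys = {}
        for tgt in (tgt_first, tgt_second):
            body = unseal(self.longer_lived.get(tgt["dev"], b""), bytes.fromhex(tgt["blob"]))
            if now > body["exp"]:
                raise PermissionError(f"ticket granting ticket of {tgt['dev']} has expired")
            short_keys[tgt["dev"]] = bytes.fromhex(body["key"])
        a, b = short_keys
        session_key = os.urandom(32)
        # One copy per peer, each sealed under that peer's short-term key (shared service ticket)
        return {a: seal(short_keys[a], {"peer": b, "sk": session_key.hex(), "exp": now + ttl}).hex(),
                b: seal(short_keys[b], {"peer": a, "sk": session_key.hex(), "exp": now + ttl}).hex()}

def run_exchange(now: float = None, tgt_ttl: float = 3600, elapsed: float = 0.0) -> dict:
    # Drives the full flow for two constructed routers; 'elapsed' delays the session request
    now = time.time() if now is None else now
    kms = KeyManagementService()
    long_a, long_b = kms.register("router-A"), kms.register("router-B")
    short_a, tgt_a = kms.issue_tgt("router-A", long_a, tgt_ttl, now)
    short_b, tgt_b = kms.issue_tgt("router-B", long_b, tgt_ttl, now)
    # A asks B for a session key on behalf of both; B carries both TGTs to the KMS
    tickets = kms.issue_session(tgt_a, tgt_b, 600, now + elapsed)
    # B keeps its copy and forwards A's copy; A reads it with its own short-term key
    sess_b = unseal(short_b, bytes.fromhex(tickets["router-B"]))
    sess_a = unseal(short_a, bytes.fromhex(tickets["router-A"]))
    # Peer-to-peer traffic under the session key, with no further contact with the KMS
    msg = unseal(bytes.fromhex(sess_b["sk"]), seal(bytes.fromhex(sess_a["sk"]), {"hello": "from A"}))
    return {"same_key": sess_a["sk"] == sess_b["sk"], "peer_of_a": sess_a["peer"], "msg": msg}
```

Calling `run_exchange(now=1000.0, tgt_ttl=60, elapsed=61)` raises `PermissionError`, which is the validity-interval check of claims 15 and 16 refusing a stale ticket granting ticket.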

30. (Currently amended) A computer-readable medium carrying one or more sequences of instructions for distributing cryptographic keys in a network, which instructions, when executed by one or more processors, cause the one or more processors to carry out the steps of:
providing a registration service identifier that identifies an administrative entity to a first non-configured network packet routing device; [[and providing a unique identifier of the first device to the administrative entity;]]
providing a unique identifier of the first device to the administrative entity;
associating [[a device private key]] a device public key with the first device in a secure data repository that is accessible by the administrative entity;
authenticating the first device to the administrative entity based on the device public key associated with the first device;
establishing a longer-lived symmetric key for the first device;
authenticating the first device based on receiving the longer-lived symmetric key from the first device;
generating and providing a short-term symmetric key to the first device based on authenticating the longer-lived symmetric key;
receiving a request from a second network packet routing device to obtain a session key for secure communications between the second device and the first device, [[based on authenticating the shorter-lived symmetric key, wherein the request includes the shorter-lived symmetric key of the first device;]] wherein the second device sends the request in response to receiving a request from the first device to obtain a session key on behalf of both the first device and the second device;
authenticating the request from the second device based on authenticating the shorter-lived symmetric key of the first device, wherein the request from the second device includes the shorter-lived symmetric key of the first device; and
generating and providing a symmetric session key to the second device for use in subsequent secure peer-to-peer communications between the first device and the second device without communication of [[either]] the first device or second device to a key management service or authoritative authentication service[[;]].
[[registering the first device in the network at a trusted device registration service;]]
[[means for authenticating the first device to the trusted device registration service;]]
[[means for generating trusted information for the trusted device registration service that certifies that the first device as a known device within a security realm; and]]
[[means for generating information identifying the device registration service to the first device for use in obtaining the longer-lived symmetric key.]]

31. (Currently amended) An apparatus for distributing cryptographic keys in a network, comprising:
means for providing a registration service identifier that identifies an administrative entity to a first non-configured network packet routing device; [[and providing a unique identifier of the first device to the administrative entity;]]
means for providing a unique identifier of the first device to the administrative entity;
means for associating [[a device private key]] a device public key with the first device in a secure data repository that is accessible by the administrative entity;
means for authenticating the first device to the administrative entity based on the device public key associated with the first device;
means for establishing a longer-lived symmetric key for the first device;
means for authenticating the first device based on receiving the longer-lived symmetric key from the first device;
means for generating and providing a short-term symmetric key to the first device based on authenticating the longer-lived symmetric key;
means for receiving a request from a second network packet routing device to obtain a session key for secure communications between the second device and the first device, [[based on authenticating the shorter-lived symmetric key, wherein the request includes the shorter-lived symmetric key of the first device;]] wherein the second device sends the request in response to receiving a request from the first device to obtain a session key on behalf of both the first device and the second device;
means for authenticating the request from the second device based on authenticating the shorter-lived symmetric key of the first device, wherein the request from the second device includes the shorter-lived symmetric key of the first device; and
means for generating and providing a symmetric session key to the second device for use in subsequent secure peer-to-peer communications between the first device and the second device, wherein the first device obtains the symmetric session key from the second device without communication of [[either]] the first device or second device to a key management service or authoritative authentication service[[;]].
[[means for registering the first device in the network at a trusted device registration service;]]
[[authenticating the first device to the trusted device registration service; and]]
[[providing trusted information to the trusted device registration service that certifies that the first device as a known device within a security realm; and]]
[[providing information identifying the device registration service to the first device for use in obtaining the longer-lived symmetric key.]]

32. (Currently amended) An apparatus for distributing cryptographic keys in a data network, comprising:
a network interface that is coupled to the data network for receiving one or more packet flows therefrom;
a processor;
one or more stored sequences of instructions which, when executed by the processor, cause the processor to carry out the steps of:
providing a registration service identifier that identifies an administrative entity to a first non-configured network packet routing device; [[and providing a unique identifier of the first device to the administrative entity;]]
providing a unique identifier of the first device to the administrative entity;
associating [[a device private key]] a device public key with the first device in a secure data repository that is accessible by the administrative entity;
authenticating the first device to the administrative entity based on the device public key associated with the first device;
establishing a longer-lived symmetric key for the first device;
authenticating the first device based on receiving the longer-lived symmetric key from the first device;
generating and providing a short-term symmetric key to the first device based on authenticating the longer-lived symmetric key;
receiving a request from a second network packet routing device to obtain a session key for secure communications between the second device and the first device, [[based on authenticating the shorter-lived symmetric key, wherein the request includes the shorter-lived symmetric key of the first device;]] wherein the second device sends the request in response to receiving a request from the first device to obtain a session key on behalf of both the first device and the second device;
authenticating the request from the second device based on authenticating the shorter-lived symmetric key of the first device, wherein the request from the second device includes the shorter-lived symmetric key of the first device; and
generating and providing a symmetric session key to the second device for use in subsequent secure peer-to-peer communications between the first device and the second device, wherein the first device obtains the symmetric session key from the second device without communication of [[either]] the first device or second device to a key management service or authoritative authentication service[[;]].
[[registering the first device in the network at a trusted device registration service;]]
[[authenticating the first device to the trusted device registration service; and]]
[[providing trusted information to the trusted device registration service that certifies that the first device as a known device within a security realm; and]]
[[providing information identifying the device registration service to the first device for use in obtaining the longer-lived symmetric key.]]